JagandeepBrar / lunasea

Self-hosted software controller built using Flutter
https://www.lunasea.app
GNU General Public License v3.0
1.28k stars 63 forks

[Feature Request] SSL Client Certificate Auth #43

Closed CraftyCanine closed 4 years ago

CraftyCanine commented 4 years ago

For my setup, I tend to be extra cautious with my external interfaces. I decided to use SSL client certificate authentication (through NGINX) for all web services that my server hosts (Sonarr, Radarr, Tautulli, etc.). I access them through reverse proxy under different subdomains of the main domain. For example, https://sonarr.blahblah.com:443, https://radarr.blahblah.com:443. The downside is that using client certificate auth means that when I want to use apps like this, I need to connect via a VPN to access the local interface to get around the client auth requirement (http://x.x.x.x:8989/ for Sonarr for example).

I see that you already have HTTP auth. Would you consider adding client certificate authentication for LunaSea? Unfortunately, I don't think it's possible to use the OS cert store so it's possible it might be a bit difficult to implement. I see you do have HTTPS support though so if you're using standard openssl libraries, they may already have support for it.

JagandeepBrar commented 4 years ago

I took some time looking into it, and it's definitely possible but would require some reworking to implement such a use-case.

I'll need to do a bit more digging, as all documentation I could find requires compiling the application with such certificates and private keys attached as assets in the application. This obviously isn't feasible since nobody would have the same certificate/private key.

JagandeepBrar commented 4 years ago

Hey there, sorry for the long time on being able to take a deeper look into this but I think I have found a way to make it work!

I have switched to a new package for managing HTTP requests, which includes the ability to easily set a certificate on the request: https://github.com/flutterchina/dio#https-certificate-verification

I think the way to do this would be to add a new folder in the LunaSea application folder (certificates, or something) where a user can drop in a certificate file (I'll figure out the naming scheme soon). Then when the application attempts to connect it will check for a certificate, and use it if needed (PEM or PKCS12).

I'll be adding this in v2.1.0 as long as no huge barriers appear!
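The lookup sketched in this comment, as an added example that is not part of the original thread and is not LunaSea's code. It uses `dart:io` directly rather than dio; the per-host file naming (`<host>.p12` / `<host>.pem`) and the function names are assumptions made for illustration.

```dart
import 'dart:io';

/// Hypothetical layout (not LunaSea's): <certDir>/<host>.p12, or
/// <certDir>/<host>.pem holding both the certificate chain and the key.
SecurityContext? clientContextFor(String host, Directory certDir,
    {String? password}) {
  for (final ext in const ['p12', 'pem']) {
    final file = File('${certDir.path}/$host.$ext');
    if (!file.existsSync()) continue;
    final bytes = file.readAsBytesSync();
    // withTrustedRoots keeps normal server certificate validation on:
    // presenting a client certificate is separate from trusting the server.
    final ctx = SecurityContext(withTrustedRoots: true);
    try {
      // Both calls accept PEM or PKCS12 data; password may be null for PEM.
      ctx.useCertificateChainBytes(bytes, password: password);
      ctx.usePrivateKeyBytes(bytes, password: password);
    } on TlsException catch (e) {
      throw FormatException('Cannot load client identity ${file.path}: $e');
    }
    return ctx;
  }
  return null; // no client identity configured for this host
}

/// Returns a client that presents the identity when one exists.
HttpClient clientFor(String host, Directory certDir, {String? password}) {
  final ctx = clientContextFor(host, certDir, password: password);
  return ctx == null ? HttpClient() : HttpClient(context: ctx);
}

Future<void> main(List<String> args) async {
  if (args.length < 2) {
    stderr.writeln('usage: dart run client.dart <host> <certDir> [password]');
    return;
  }
  final client = clientFor(args[0], Directory(args[1]),
      password: args.length > 2 ? args[2] : null);
  try {
    final req = await client.getUrl(Uri.https(args[0], '/'));
    final res = await req.close();
    print('HTTP ${res.statusCode}');
    await res.drain<void>();
  } finally {
    client.close();
  }
}
```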

CraftyCanine commented 4 years ago

Awesome news! Thank you for doing the research! Not everybody uses this setup so it means a lot that you'd look into it to support the less common setups as well! I'm on your TestFlight so I will definitely do the testing if I see the feature come up in a future update. Thanks again!

JagandeepBrar commented 4 years ago

I have just published TestFlight v2.0.1 (55) which includes support for disabling SSL/TLS validation within LunaSea! This means that self-hosted certificates should now be supported; you can toggle the setting in the configuration pages in the settings for each service.

As I noted in the dialog, this currently disables the ability for most images to be loaded from the server; I am looking into a resolution for that.

CraftyCanine commented 4 years ago

Hello. Thank you so much for your work on this! In the security world, HTTPS with a self-signed certificate is way better than regular HTTP any day so this is a big step forward! However, I think you might have closed this request prematurely(?). The feature I requested was for supporting HTTPS client certificate authentication (as described here: https://techcommunity.microsoft.com/t5/iis-support-blog/client-certificate-authentication-part-1/ba-p/324623), not self-signed certificates.

JagandeepBrar commented 4 years ago

@CraftyCanine Sorry, you're right!

Thank you for the link, that's very useful. I'll continue to work on getting this implemented!

JagandeepBrar commented 4 years ago

I am moving all feature requests to a new location, so I am closing the issue: https://feedback.lunasea.app/b/feedback/p/ssl-client-certificate-authentication

pedropombeiro commented 2 weeks ago

> I am moving all feature requests to a new location, so I am closing the issue: https://feedback.lunasea.app/b/feedback/p/ssl-client-certificate-authentication

This link is broken.